Installing ISP-fw (Firewall) On Linux

Submitted by htb on Tue, 2008-10-28 12:05 :: Debian | Security

ISP-fW is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/DNAT and TOS marking, and, last but not least, it generates HTB rules for bandwidth management. With ISP-fW you can turn a PC into a gateway with traffic-shaping capabilities.

Let's begin:

I will assume that you have already installed Linux on your box. I use a Debian machine, so this tutorial is written for Debian, but it should not differ much on other distributions.

1. Requirements:

 - a GNU/Linux distribution;
 - GCC 3.4.6;
 - iproute2 (the latest version is recommended; http://linux-net.osdl.org/index.php/Iproute2);
 - Linux kernel 2.4.32 or 2.6.16 (http://www.kernel.org);
 - dialog (the latest version from http://invisible-island.net/dialog/);
 - flex 2.5.4a (not a newer version);
 - iptables 1.2.11 or above;
 - DHCP (the latest version from ftp://ftp.isc.org/isc/dhcp/);
 - Apache and PHP (required for webISP);
 - ZendOptimizer 3.x (required for webISP);
 - MySQL 4.x (required for webISP);
 - MRTG (required for webISP);
 - IPFM (required for webISP).

For shaping you have to enable QoS in your kernel; these are the options for 2.4.x and 2.6.x:

Linux Kernel 2.4.32 ( http://www.kernel.org )
----------------------------------------------

If you compile the Kernel from the sources, you will need to select the following options:

#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y

Linux Kernel 2.6.16 ( http://www.kernel.org )
------------------------------------------------

If you compile the kernel from the sources, you will need to select the following options:

#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set

#
# Queuing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_INGRESS=m
#
# Classification
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=m
CONFIG_NET_EMATCH_NBYTE=m
CONFIG_NET_EMATCH_U32=m
CONFIG_NET_EMATCH_META=m
CONFIG_NET_EMATCH_TEXT=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=y
CONFIG_GACT_PROB=y
CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_IPT=m
CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_ACT_SIMP=m
CONFIG_NET_CLS_IND=y
CONFIG_NET_ESTIMATOR=y

!!! NOTE !!!
To use mark_in_u32 you MUST run at least kernel 2.6.16: it relies on the u32 classifier's netfilter-mark support (CONFIG_CLS_U32_MARK in the 2.6.16 list above), which the 2.4 options do not provide.
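A quick way to check a kernel you did not build yourself, as an added example (this script is mine, not part of ISP-fW): it reads a kernel .config and lists which of the shaping options from the two lists above are neither built in nor modules. Which options count as required is my reading of those lists; /boot/config-$(uname -r) and /proc/config.gz are simply the usual places a Debian or self-built kernel keeps its config.

```sh
#!/bin/sh
# Added example, not part of ISP-fW: report which QoS options the shaping
# side needs are missing from a kernel config. The list is my reading of
# the two option lists above: HTB for the classes, SFQ for the leaf qdiscs
# (qdisc = sfq in firewall.conf), the u32 and fw classifiers, CLS_U32_MARK
# for mark_in_u32, INGRESS for policing incoming traffic.

REQUIRED_QOS="CONFIG_NET_SCHED CONFIG_NET_SCH_HTB CONFIG_NET_SCH_SFQ \
CONFIG_NET_SCH_INGRESS CONFIG_NET_CLS_U32 CONFIG_CLS_U32_MARK CONFIG_NET_CLS_FW"

# kernel_config -> the running kernel's config on stdout (Debian keeps it
# under /boot; a self-built kernel with CONFIG_IKCONFIG_PROC exports it in /proc)
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found for $(uname -r)" >&2
        return 1
    fi
}

# qos_missing CONFIG_FILE -> prints every required option that is neither
# =y nor =m ("# ... is not set" or absent); returns 1 if anything is missing
qos_missing() {
    missing=0
    for opt in $REQUIRED_QOS; do
        if ! grep -q "^$opt=[ym]$" "$1"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# usage: kernel_config > /tmp/running.config && qos_missing /tmp/running.config
```

Anything it prints has to be built in (=y) or as a module (=m) before ispfw start can shape anything; a module also has to be loadable, so check lsmod or modprobe after the rebuild.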


2. Download and install isp-fw from http://isp-fw.sourceforge.net

root@htb:~# wget http://kent.dl.sourceforge.net/sourceforge/isp-fw/ispfw-9.5-rc1.deb

Create the database as the MySQL root user. Give the password at the prompt rather than on the command line (mysql -u root -p, not mysql -u root -p password: a password typed as an argument ends up in the process list and the shell history, and mysql would read that word as a database name anyway):

root@htb:~# mysql -u root -p
Enter password:
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database ispfw;
Query OK, 1 row affected (0.00 sec)

mysql> quit
Bye

root@htb:~# dpkg -i ispfw-9.5-rc1.deb

SQL host [localhost]:
SQL user [root]: ispfw
SQL pass [changeme]: ****
SQL db [ispfw]: ispfw
Admin user for webpage [admin]: admin
Admin password for webpage [changeme]: ****
Installation successful.
Edit /var/www/webisp/include/config.php.
Change in php.ini session.auto_start to 1
Note that you need to install zendOptimizer http://www.zend.com/free_download/optimizer

You're done installing ISP-fW. Let's move on to the configuration.
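The installer above asks for a SQL user (ispfw here) and password; that account should exist before you run dpkg -i, and it should have rights on the ispfw database only, rather than the web front-end being handed the root login. Here is an added helper, not part of ISP-fW or its installer, that prints the SQL for that. The database and user names are the ones used in this tutorial, and the GRANT ... IDENTIFIED BY form is chosen because MySQL 4.x (the version required above) has no CREATE USER statement.

```sh
#!/bin/sh
# Added example, not part of ISP-fW or its installer: print the SQL that
# creates the ispfw database and a dedicated MySQL account for webISP, so
# the web front-end never holds the root login. The password comes in on
# stdin, not as an argument, so it never appears in the process list.
# Assumption: GRANT ... IDENTIFIED BY is used because MySQL 4.x (required
# above) has no CREATE USER; the form still works up to 5.7 and is gone in 8.0.

# ispfw_db_sql DB USER   (password on stdin) -> SQL statements on stdout
ispfw_db_sql() {
    db=$1 user=$2
    # identifiers are limited to [A-Za-z0-9_] so a name cannot close the
    # quoted identifier and append a second statement
    case $db in ''|*[!A-Za-z0-9_]*) echo "refusing database name '$db'" >&2; return 1 ;; esac
    case $user in ''|*[!A-Za-z0-9_]*) echo "refusing user name '$user'" >&2; return 1 ;; esac
    IFS= read -r pass || true                     # tolerate a missing final newline
    [ -n "$pass" ] || { echo "no password on stdin" >&2; return 1; }
    # inside a '...' literal MySQL reads \ as an escape and ' as the terminator,
    # so backslashes are doubled first and single quotes are doubled after
    esc=$(printf '%s' "$pass" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    # scoped to this one database and to connections from localhost (Apache
    # and MySQL share the box here); no global privileges, no GRANT OPTION.
    # ALL on the database, not less, because the installer may create the
    # schema with this account; tighten to SELECT/INSERT/UPDATE/DELETE afterwards.
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$user" "$esc"
    printf 'FLUSH PRIVILEGES;\n'
}

# usage (the mysql -p prompt reads from the terminal, so the pipe does not interfere):
#   printf '%s\n' "$WEBISP_DB_PASSWORD" | ispfw_db_sql ispfw ispfw | mysql -u root -p
```

Run the generated statements as root once, then give the installer the ispfw account and its password at the SQL user/pass prompts.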


3. Configure ISP-fW

Edit /etc/isp-fw/firewall.conf to your needs (or run isped fireconfig from the console to open it for editing). A more thoroughly commented example can be found in the docs or at http://isp-fw.wiki.sourceforge.net/Config-Examples.

#generated by setup, see docs/cfg/
network_name = Example
domain = example.com
default_editor = vi
default_ipt_policy = ACCEPT
net_interface = eth0
lan_interface = eth1
net_ip = 45.93.203.4
clone_mac = no
gateway = 45.93.203.1
subnet = 255.255.255.0
fake_mac = 00:0D:A1:D9:D2:DA
download = start
upload = start
bandwith = 2048 kbps
burst = 0
qdisc = sfq
bgp_file = none
htb_mode = none
ssh_all = no
#ssh_all = no: only the IPs listed in /etc/isp-fw/ssh.allow may reach the SSH port
ssh_port = 22
use_squid = no
squid_port = 3128
load_custom = no
masquerade = yes
update_hosts = yes
optimize = yes
opt_conntrack = auto
mac_filter = no
auto_redirect = no
my_web = 1234
block_traceroute = no
flood = no
no_port_scan = no
ping_protection = yes
max_conn_per_port =
use_dhcp = yes

#DHCP section
class = 10.10.10.0/255.255.255.0
router = 10.10.10.1
range = 10.10.10.1 10.10.10.254
broadcast = 10.10.10.255
dns = 10.10.10.1, 10.10.10.2
wins = 10.10.10.2

/etc/isp-fw/spam.conf - blacklisted IPs
/etc/isp-fw/badports.conf - blacklisted ports
/etc/isp-fw/port.allow - ports you want to accept on the gateway
/etc/isp-fw/ssh.allow - IPs allowed to SSH in (used when ssh_all = no)

Note that default_ipt_policy = ACCEPT makes the gateway fail open: everything reaches it unless spam.conf or badports.conf names it, and those lists are never complete. A DROP policy with the services you actually run listed in port.allow, plus a short ssh.allow, is the safer combination, and it is worth checking the result with iptables -L -n after ispfw start.
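To make the effect of these settings concrete, here is an added example that is not ISP-fW's own rule generator (the rules ISP-fW actually emits are not shown on this page): it reads the key = value file above together with ssh.allow and port.allow and prints a fail-closed iptables rule set. The port.allow format (one TCP port per line) and the DHCP rule for use_dhcp = yes are assumptions; the interface and option names are the ones from firewall.conf. It prints rather than applies the rules so you can read them, or diff them against iptables-save, first.

```sh
#!/bin/sh
# Added example, not ISP-fW's rule generator (the rules ISP-fW itself emits
# are not shown on this page): translate the firewall.conf keys above plus
# ssh.allow and port.allow into a fail-closed iptables rule set. Assumed:
# port.allow holds one TCP port per line, and use_dhcp = yes means dhcpd
# on the gateway must be reachable from the LAN side. Rules are printed,
# not applied, so they can be read or diffed against iptables-save first.

# conf_get FILE KEY -> value of the first "KEY = value" line, trimmed ("" if absent)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed '1!d; s/[[:space:]]*$//'
}

# list_entries FILE -> the file minus blank lines and # comments (missing file = nothing)
list_entries() {
    [ -r "$1" ] && grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
    return 0
}

# gen_rules FIREWALL_CONF SSH_ALLOW PORT_ALLOW -> iptables commands on stdout
gen_rules() {
    conf=$1 sshallow=$2 portallow=$3
    net=$(conf_get "$conf" net_interface)
    lan=$(conf_get "$conf" lan_interface)
    sshport=$(conf_get "$conf" ssh_port)
    [ -n "$sshport" ] || sshport=22

    # Fail closed whatever default_ipt_policy says: an ACCEPT policy is only
    # as good as spam.conf and badports.conf, and blacklists are never complete.
    [ "$(conf_get "$conf" default_ipt_policy)" != ACCEPT ] ||
        echo "# WARNING: default_ipt_policy = ACCEPT in $conf; emitting DROP instead"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # the gateway's own services: dhcpd for the LAN, then whatever port.allow lists
    [ "$(conf_get "$conf" use_dhcp)" != yes ] ||
        echo "iptables -A INPUT -i $lan -p udp --dport 67 -j ACCEPT"
    list_entries "$portallow" | while read -r port _; do
        case $port in ''|*[!0-9]*) echo "# skipped malformed port.allow entry: $port"; continue ;; esac
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done

    # SSH: from anywhere (ssh_all = yes) or only from the addresses in ssh.allow
    if [ "$(conf_get "$conf" ssh_all)" = yes ]; then
        echo "iptables -A INPUT -p tcp --dport $sshport -m state --state NEW -j ACCEPT"
    else
        list_entries "$sshallow" | while read -r ip _; do
            # only digits, dots and a CIDR slash may reach the command line
            case $ip in ''|*[!0-9./]*) echo "# skipped malformed ssh.allow entry: $ip"; continue ;; esac
            echo "iptables -A INPUT -p tcp -s $ip --dport $sshport -m state --state NEW -j ACCEPT"
        done
    fi

    # LAN -> Internet, with source NAT when masquerade = yes
    echo "iptables -A FORWARD -i $lan -o $net -m state --state NEW -j ACCEPT"
    [ "$(conf_get "$conf" masquerade)" != yes ] ||
        echo "iptables -t nat -A POSTROUTING -o $net -j MASQUERADE"
}

# usage: gen_rules /etc/isp-fw/firewall.conf /etc/isp-fw/ssh.allow /etc/isp-fw/port.allow
```

The point of the allowlist loop is that a line in ssh.allow goes straight onto an iptables command line, so anything that is not an address or prefix is refused instead of being pasted in.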


4. Adding clients to ISP-fW

You add clients by editing the clients file with the command isped clienti:

root@htb:~# isped clienti

If you use NAT on your network, make sure masquerade = yes is set; here is how the file looks:

#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC              IP-LAN      IP-NET  MINE/MAXE/MINM/MAXM NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024      Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024      Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024     Alice
#END

If you have your own class of IPs from ARIN or another registry, be sure to set masquerade = no.

For this example we will assume that we have the class 9.10.11.0/24 allocated.

#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
00:0E:2E:1F:E7:FA 0.0.0.0 9.10.11.2 16/32/128/1024 Tom
00:02:AA:11:B2:AC 0.0.0.0 9.10.11.3 16/32/256/2048 Britney
#00:01:AA:03:04:05 0.0.0.0 9.10.11.4 16/32/256/2048 Alice
#END

Tips

The "16/32/128/1024" means that Tom gets, for external (internet) bandwidth, 16 kbps guaranteed and 32 kbps maximum, and for the metropolitan network 128 kbps guaranteed and 1024 kbps maximum (the order is MINE/MAXE/MINM/MAXM, as in the header of the file).

The "#" sign means that the client is disabled and therefore has no internet access.

The "#>" sign means that the client is redirected to your customized suspended-account web page.

Now to start the program just type

ispfw start
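What one line of the clients file turns into, as an added example that is not ISP-fW's code: a parser for the clienti format that emits, per active client, an HTB class with rate MINE and ceil MAXE on the LAN interface plus a rule that binds the client's address to its MAC, and for a "#>" client a redirect of its port-80 traffic to the gateway's own web server together with a drop of everything else. Assumptions: the LAN interface is eth1 and the link is 2048 kbit as in firewall.conf above, the rates are kilobits per second (tc's kbit, not its kbps, which means kilobytes), only the external MINE/MAXE pair is shaped (the metro pair would need a second class selected by a fw or route classifier, which is what those options in the kernel lists are for), and the suspended page is served by the gateway itself on port 80. Rules are printed, not applied.

```sh
#!/bin/sh
# Added example, not ISP-fW's code: parse the clienti format above and print,
# per active client, an HTB class (rate MINE, ceil MAXE) on the LAN interface
# with a u32 filter on the client's address, plus a FORWARD rule that binds
# that address to the client's MAC; a "#>" client instead gets its port-80
# traffic redirected to the gateway's own web server (the suspended page,
# assumed to live there) and everything else dropped. Assumed: LAN is eth1
# and the link is 2048 kbit as in firewall.conf above; rates are kilobits per
# second (tc's "kbit", not its "kbps", which is kilobytes); only the external
# MINE/MAXE pair is shaped, the metro pair would need a second class picked
# by a fw or route classifier. Rules are printed, not applied.

LAN=${LAN:-eth1}
LINK=${LINK:-2048}
h='[0-9A-Fa-f]'

# client_addr IP-LAN IP-NET -> whichever of the two is not 0.0.0.0
client_addr() { [ "$1" != 0.0.0.0 ] && echo "$1" || echo "$2"; }

# clienti_rules FILE -> tc and iptables commands; one classid per client
# starting at 1:10; malformed lines are reported as comments and skipped
clienti_rules() {
    file=$1
    n=10
    echo "tc qdisc add dev $LAN root handle 1: htb default 2"
    echo "tc class add dev $LAN parent 1: classid 1:1 htb rate ${LINK}kbit"
    echo "tc class add dev $LAN parent 1:1 classid 1:2 htb rate 8kbit ceil ${LINK}kbit   # unclassified"
    while IFS= read -r line || [ -n "$line" ]; do
        state=active
        case $line in
            '#END'*) break ;;
            '#>'*) state=suspended; line=${line#"#>"} ;;
            '#'*|'') continue ;;          # disabled client, comment or blank line
        esac
        set -- $line
        [ $# -ge 5 ] || { echo "# skipped (too few fields): $line"; continue; }
        mac=$1 ip=$(client_addr "$2" "$3") rates=$4 name=$5
        case $mac in
            $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;;
            *) echo "# skipped (bad MAC): $line"; continue ;;
        esac
        case $ip in
            ''|0.0.0.0|*[!0-9.]*) echo "# skipped (bad address): $line"; continue ;;
        esac
        oldifs=$IFS; IFS=/; set -- $rates; IFS=$oldifs
        [ $# -eq 4 ] || { echo "# skipped (need MINE/MAXE/MINM/MAXM): $line"; continue; }
        for r in "$@"; do
            case $r in ''|*[!0-9]*) echo "# skipped (non-numeric rate): $line"; continue 2 ;; esac
        done
        mine=$1 maxe=$2
        [ "$mine" -le "$maxe" ] || { echo "# skipped (MINE > MAXE): $line"; continue; }

        if [ $state = suspended ]; then
            echo "iptables -t nat -A PREROUTING -i $LAN -s $ip -p tcp --dport 80 -j REDIRECT --to-ports 80   # $name"
            echo "iptables -A FORWARD -i $LAN -s $ip -j DROP"
            continue
        fi
        # traffic towards the client: MINE guaranteed, MAXE at most, SFQ between its flows
        echo "tc class add dev $LAN parent 1:1 classid 1:$n htb rate ${mine}kbit ceil ${maxe}kbit   # $name"
        echo "tc qdisc add dev $LAN parent 1:$n handle $n: sfq perturb 10"
        echo "tc filter add dev $LAN parent 1: protocol ip prio 1 u32 match ip dst $ip flowid 1:$n"
        # the address is only accepted from the MAC it was assigned to
        echo "iptables -A FORWARD -i $LAN -s $ip -m mac --mac-source $mac -j ACCEPT"
        n=$((n + 1))
    done < "$file"
    # anything from the LAN that matched no (MAC, address) pair above
    echo "iptables -A FORWARD -i $LAN -j DROP"
}

# usage: clienti_rules FILE   (the file that isped clienti edits)
```

The MAC/address binding is the check behind the mac_filter idea: a neighbour who sets Tom's address on their own card gets Tom's bandwidth class unless the FORWARD rule also insists on Tom's MAC. Note that a MAC is trivially forged by anyone on the same segment, so this stops accidents and casual abuse, not a determined attacker.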


Submitted by Mateos (not registered) on Wed, 2008-10-29 20:04.
http://www.pfsense.org/ pfSense is a LAMP (P = PHP) web application used as firewall and router. It's a great tool based on FreeBSD.
Submitted by Jumper302 (not registered) on Tue, 2008-12-16 11:46.
pfSense is great for home networking but hasn't the tools for shaping over VLANs. If you have a bigger LAN (200+), isp-fw is what you require.